Convert String to Dictionary question
Jason Orendorff
jason at jorendorff.com
Fri Feb 15 19:22:16 EST 2002
Brian Kelley writes:
> n.b. pickle and cPickle also use eval to convert representations of
> string values into python strings so security is not a valid reason to
> choose one over the other, yet...
I dunno, let's compare them:
1. pickle/cPickle
There is a small but nonzero possibility of a yet-unknown flaw
in either
(a) pickle.Unpickler._is_string_secure()
(which I doubt, having checked the function myself) or
(b) the cPickle equivalent
(which I have also checked), or
(c) the way eval() evaluates string literals
(which might have been noticed before now).
The chance that this hypothetical flaw might constitute a
security hole is even smaller but still nonzero.
2. eval()
Well-known gaping security hole.
It seems to me that security is a compelling reason to choose
pickle() over eval(). Am I wrong?
## Jason Orendorff http://www.jorendorff.com/
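As an added illustration of the difference the thread is arguing about (this is example code, not from the original post or from the Python standard library discussion): a string-to-dict converter that uses ast.literal_eval, which only accepts literal syntax and raises on anything that would need evaluation, placed beside a helper that shows what plain eval() does with the same input. ast.literal_eval postdates this 2002 thread and is assumed here as the modern equivalent of pickle's "is this string just a literal?" check.

```python
import ast


def parse_dict_literal(text):
    """Convert untrusted text holding a dict literal into a dict.

    ast.literal_eval parses the text into a syntax tree and only accepts
    literal nodes (strings, numbers, tuples, lists, dicts, sets, booleans,
    None).  A call, attribute access or name lookup is rejected with
    ValueError rather than executed, so no user-controlled code runs.
    """
    value = ast.literal_eval(text)
    if not isinstance(value, dict):
        raise ValueError("expected a dict literal, got %s" % type(value).__name__)
    return value


def compare_eval_and_literal_eval(text):
    """Return (what eval() produces, the error name literal_eval raises or None).

    Used only on constructed, benign input below to make the contrast visible:
    eval() happily runs the function call inside the 'literal'; literal_eval
    refuses it.
    """
    eval_result = eval(text)  # evaluates arbitrary expressions: the hazard
    try:
        ast.literal_eval(text)
        literal_error = None
    except (ValueError, SyntaxError) as exc:
        literal_error = type(exc).__name__
    return eval_result, literal_error


if __name__ == "__main__":
    # Constructed sample inputs.
    plain = "{'name': \"O'Brien\", 'count': 3}"      # a genuine literal
    sneaky = "{'n': len('abc')}"                     # looks like one, is not
    print(parse_dict_literal(plain))                 # {'name': "O'Brien", 'count': 3}
    print(compare_eval_and_literal_eval(sneaky))     # ({'n': 3}, 'ValueError')
```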